Daum Ergo Bike Reverse Engineering

Last update: 2018-10-05 18:03


This page is a collection of software and documentation related to the Daum Premium 8i indoor bike. The bike has some properties that makes it an interesting research target:

However, there a number undocumented areas:

On this page I'm going to document my findings and progress.

EPP file format

The bike uses EPP files to control the training. E.g. the duration and power curve or the elevation over distance curve for a training can be defined with an EPP file. Daum provides the program DPPEdit for Windows (32bit), last release January 2008, to create and modify EPP files. It only allows to import HAC4 elevation and heart rate profiles.

To be able to convert GPX files directly into EPP elevation profiles, I've reverse engineered the file format and created simple converter in Python. The eppconvert package can be found on GitHub and on PyPI.


Telnet Access

By default the telnet demon is enabled on port 23. Unfortunately there is no username/password published. Enabling root access is fairly simple though. Search the mw001 application that is part of the update zip file for consecutive sequences of ASCII numbers:

strings mw001 | egrep '^[0-9]{6}$'

One of them might be the PIN for the service menu. Within the service menu there is an option to enable telnet, which will also display the configured root password. I believe the password is unique for each bike or will be generated when enabling telnet.

A word of warning: the settings exposed in the service menu could potentially damage your bike. Also root access to the device can make the control panel unbootable and you could void your warranty. So stay away from these settings if you can't risk that.

Control Protocol

TCP port 51955 runs the control protocol. The socket belongs to the mw001 application that also controls the user interface on the control panel.

Parts of the control protocol are documented. I've done some initial tcpdump of the communication between ergo_win race and the bike. During the first few exchanges some data is transferred that looks very much like an EPP file without parts of the header. Needs further analysis.

Cockpit Processor and Linux

Next Steps